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O N=" 4 Our comments and questions on the paper 


DIGITALEUROPE represents a variety of industry actors actively involved in the 
development of medicines and related research. 

The complementarity between data protection and innovation is an 
objective that a correct understanding of the GDPR principles, concepts 
and rules should always strive to achieve, including in medicine. We 
welcome to opportunity to help to determine the upcoming Q&A of the EMA on 
the GDPR and the Secondary Use of Data for Medicines and Public Health 
Purposes”. 

Clarifying the existing data processing regulatory framework is a key step to build 
a Common European Health Data Space. 


General comments 


>> We urge the EMA to consider all sources for the secondary use of health 
data, besides clinical trials. Organisations derive data in scope also from 
clinical practice, such as from Electronic Health Records (EHRs), claims 
and registries (as per Figure 2 in the discussion paper). For example, 
researchers may wish to explore the data from patients admitted to 
hospitals across Europe with pneumonia symptoms in late 2019, to 
identify whether 2019-nCoV was present earlier than thought. This would 
require the secondary processing of patients’ data, in a way that was not 
foreseen when they were first admitted to the hospital. The EMA should 
expand on these other data sources in its upcoming Q&A, including by 
providing practical and industry-specific examples. 


>> The application of scientific research in accordance with Article 9(2)(j) of 
the GDPR is especially important for the secondary use of health data. It 
is a clear example of how to better unlock the potential of health data in 
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the EU and should be given more recognition in upcoming EMA 
consultation papers. 


>> Itis very important not to mix secondary use of data and compatibility, as 
this paper seems to suggest. They are two different aspects of the GDPR. 
Organisations can use data for secondary purposes without them being 
compatible purposes, provided there is an appropriate legal basis. 


Please find below more details on our recommendations. Our members stand ready 
to discuss and share our expertise and experiences. 


O N=" 4 Input and questions for the EMA on the nine key 
areas in the discussion paper 


Secondary use of health data 


There are regulatory divergences across the EU due to different applications of 
Article 89 of the GDPR across Member States. National governments can 
maintain or introduce further conditions, including limitations, on the processing 
of genetic or health data. 


>> What are for the EMA the specific activities that fall under the processing 
purpose of scientific research? 


>> Does the EMA intend to undertake initiatives to address the 
inconsistencies between the provisions of the GDPR and those of health- 
related local and national data protection regulations across the EU? 


In addition, the paper highlights the GDPR states that processing of personal 
data for purposes other than those for which the personal data was initially 
collected should be allowed only where the processing is compatible with the 
purposes for which the personal data were initially collected. This is true to the 
extent that the processing applies to the compatible purpose and Recital 50. It is 
key to consider that processing for secondary purposes is also possible on the 
grounds of a different legal basis, if the purpose is not compatible with the 
original one. Developing Codes of Conduct would clarify some of the current 
challenges around access, processing, use and re-use of health data.' 


1 DIGITALEUROPE recommendations on health data-processing elaborate on this aspect more in 
detail 
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Establishing the legal basis for processing personal data 


>> DIGITALEUROPE points out how Data Protection Authorities (DPAs)’s 
guidance often seems to ignore that the same processing activities may 
fall under different legal bases simultaneously — particularly if an 
extremely narrow scope is assigned to each basis. The same health data 
from the patient may be technically necessary to deliver a service, 
thereby falling under the contract legal basis, but also be processed for 
the controller's own or mandated scientific research activities, thus being 
covered under the legal basis of legitimate interest. 
We are also generally concerned that consent is being emphasised as 
the primary legal basis for processing in several scenarios. It is neither 
the only nor the default legal ground. For medical research, consent can 
have downsides today primarily due to issues of legacy data. 


>> On the justifications for processing of sensitive (health) data provided in 
the paper, we strongly emphasise the importance to add those in Art. 
9.2.(j), for which processing is necessary for archiving purposes in the 
public interest, scientific or historical research purposes. 


Presumption of compatibility 


As the paper points out, Recital 50 of the GDPR states that, where the 
processing is compatible, ‘no legal basis separate from that which allowed the 
collection of the personal data is required.’ Unfortunately, especially when 
consent is used for primary processing, there is still uncertainty on whether 
organisations need a legal basis for further processing. The industry needs more 
clarity on that. 


>> Can the EMA provide concrete examples of how Recital 50 is applied 
when the patient has given specific consent to one purpose? 


>> When is the compatibility of original and new purposes considered 
sufficient for the EMA, including when data is collected as part of routine 
clinical management? 


On the establishment of the presumption of compatibility for research purposes, 
the paper refers to the EDPS recent explanation for which data should not be 
used to support measures or decisions regarding any particular individuals. 


>> How can organisations use data for clinical decision support systems that 
help doctors in making decisions about the health of specific individuals 
based on aggregated patient data? 
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Pseudonymisation 


There are uncertainties regarding pseudonymisation and anonymisation as well 
as on the appropriate level of de-identification and anonymisation under given 
circumstances. Health policy-makers and regulators must mitigate these 
uncertainties as pseudonymisation and anonymisation are a fundamental 
safeguard enabling the secondary use of health data for scientific research 
purposes. We would support Member States adopting a consistent and 
internationally recognised approach to deidentification. 


>> What are the criteria by which the EMA consider information on the data 
subject as fully anonymised in research activities, as opposed to 
pseudonymised? 


>> What are the specific techniques that the EMA considers relevant for fully 
anonymising health data? What is the potential role of synthetic data? 


Data Retention 


The paper focuses on typical data retention approaches used for clinical trial 
data. It does not address sufficiently the issue of data retention of Electronic 
Health Records (EHRs), where there exists fragmentation in terms of 
requirements across Member States. Furthermore, whilst Member States have 
policies in place for the retention of data for primary purposes, we would 
welcome more clarity on retention periods where data is being used for 
secondary purposes. 


>> Does the EMA support the need for more harmonisation on the EHR data 
retention framework in the EU? What best practices would it suggest? 


>> Can the EMA elaborate on how existing data retention schemes should 
be applied for secondary uses of health data? 


Transparency 


Profit-seeking companies can indeed carry out scientific research and it is 
important to note that scientific research be defined broadly to not hinder medical 
innovation, as the GDPR provides. We would like answers on the following: 


>> Interpreting too strictly transparency at the time of collection of personal 
data risks to discourage future exploratory research. Critically, at the time 
data is collected all potential future uses of that data may not be known, 
and hence there is a need to balance transparency with the ability to 
conduct scientific research. For example, we could risk overwhelming 
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patients in a clinical setting by listing all potential future uses for their 
health data, when their main concern is receiving their primary treatment. 
This could lead to withdrawing of consent or confusion on the part of the 
patient. Does the EMA support transparency guidelines which better 
accommodate the potential use of personal data for future research 
activities whose specific goals are yet undefined at the time of data 
collection? 


>> Can the EMA offer specific examples of how organisations can provide 
transparency to individuals, particularly in the case of Real-World data 
projects? How does transparency function under conditions of 
retrospective data analysis where at the time of study many individuals 
may already be deceased? 


>> In addition to transparency through standard Informed Consent Forms 
(ICFs), can the EMA elaborate on guidelines for transparency on EHRs 
collection? 


Rights of the “data subject” 


The paper cites the “right to erasure”. Data subjects can request an organisation 
who processes their personal data to erase such data without undue delay. 
However, under certain circumstances organisations are permitted to reject such 
requests, like when the personal data in question is within the ‘public interest’ 
and the removal of such data may threaten the integrity of the dataset. 

As more data is being shared with multiple parties for more services, the 
difficulties of the right to erasure become evident. Emerging technologies further 
compounds such difficulties. For example, blockchain would make this right 
almost impossible as the technology relies on the input of data that is then 
transferred into a blockchain algorithm that is highly secured, incorruptible and 
cannot be tampered with. Therefore, the right to erasure renders blockchain 
technology itself mute. It is clear that the right to erasure is highly complex and 
can pose great difficulties for organisations if interpreted expansively. Therefore, 
we recommend that guidance be provided on the interpretation of the right to 
erasure with a focus on emerging technologies. 


>> Can the EMA elaborate on the interaction between the right to erasure 
and emerging technologies applicable to the field of medicine? 


Registries 


>> The European Commission launched a call for proposals to support the 
development of rare disease (RD) registries for the European Reference 


DIGITALEU ROPE” 


Networks (ERNs). What type of learnings can the EMA draw from the 
record-linkage efforts so far in this initiative? 


>> Building patient registries is fundamental to expand public health research 
information. Creating them requires a data linkage process that may 
increase the amount of data that can be combined for patient re- 
identification. Can the EMA provide examples on how to develop these 
fundamental registries while continuing to observe GDPR requirements? 


International Transfers 


DIGITALEUROPE believes international data flows and collaboration are both 
key assets of clinical research. A lesson learned from the COVID-19 pandemic is 
that international data transfers between researchers, labs and healthcare 
experts based on innovative technologies such as cloud computing, artificial 
intelligence and machine learning have improved real-time collaboration, the 
quality of data analytics and the speed of the research process for the sole 
benefits of protecting public health. 


>> Can the EMA provide further clarity that GDPR Article 49.1.d can serve 
as an applicable ground for international data transfers to 
disclose personal data to health authorities for health research and safety 
surveillance regarding pharmaceutical products? 


FOR MORE INFORMATION, PLEASE CONTACT: 
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About DIGITALEUROPE 


| 
DIGITALEUROPE represents the digital technology industry in Europe. Our members include I 
some of the world’s largest IT, telecoms and consumer electronics companies and national l 
associations from every part of Europe. DIGITALEUROPE wants European businesses and | 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the ! 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in l 
the development and implementation of EU policies. 
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Automation, Samsung, SAP, SAS, Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, 
Sony, Swatch Group, Tata Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, 
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National Trade Associations 


Austria: IOÖ Germany: BITKOM, ZVEI Slovakia: ITAS 
Belarus: INFOPARK Greece: SEPE Slovenia: GZS 
Belgium: AGORIA Hungary: IVSZ Spain: AMETIC 


Croatia: Croatian 

Chamber of Economy 
Cyprus: CITEA 

Denmark: DI Digital, IT 
BRANCHEN, Dansk Erhverv 
Estonia: ITL 

Finland: TIF 

France: AFNUM, Syntec 
Numérique, Tech in France 


Ireland: Technology Ireland 
Italy: Anitec-Assinform 
Lithuania: INFOBALT 
Luxembourg: APSI 
Netherlands: NLdigital, FIAR 
Norway: Abelia 

Poland: KIGEIT, PIIT, ZIPSEE 
Portugal: AGEFE 

Romania: ANIS, APDETIC 


Sweden: Teknikföretagen, 
IT&Telekomföretagen 
Switzerland: SWICO 

Turkey: Digital Turkey Platform, 
ECID 

Ukraine: IT UKRAINE 

United Kingdom: techUK 


